Maybe you're referring to a Jail, a folder where a specific user will be confined.
I will try to summarize an example configuration:
1) Environment Preparation
You need to take a few steps to prepare the Jail environment. We have to respect some security limitations imposed by SSH (if you want, you can disable them, but it's really a bad idea!).
- Jail folder must be root-owned
- Jail folder cannot be group/others writable
- .ssh/ folder must have mode 700
- authorized_keys file must have mode 600
Let's assume you have a user whose username is echoes and whose home directory is /home/echoes/, and let's assume we want to confine it into its own home directory.
Let's assume, as you say, we want to use an SFTP account with a public-key authorization mechanism for it.
    mkdir /home/echoes/.ssh
    # write echoes public-key into /home/echoes/.ssh/authorized_keys
    chown root /home/echoes/
    chmod 755 /home/echoes/
    chown -R echoes:echoes /home/echoes/.ssh/
    chmod 700 /home/echoes/.ssh/
    chmod 600 /home/echoes/.ssh/authorized_keys
2) SSH Configuration
Now we need to match the user and confine it into its own home directory. So, let's open the SSH server configuration file:
    vim /etc/ssh/sshd_config
Enable internal-sftp to manage SFTP connections:
    Subsystem sftp internal-sftp
Copy and paste the following lines into the sshd_config configuration file. We are saying: when you match echoes, just move it into the folder defined by ChrootDirectory (its own home folder in this example).
    Match user echoes
        ChrootDirectory /home/echoes/
        ForceCommand internal-sftp
3) Allowing writing operations inside a sub-folder
As you can see, the home folder of the user is now root-owned, so echoes will not be able to write files into it. For that reason, you can create a new sub-folder (e.g. echoes-write) and allow the user to write inside it:
    mkdir /home/echoes/echoes-write/
    chown echoes:echoes /home/echoes/echoes-write/
    chmod ug+w /home/echoes/echoes-write/
4) Move automatically into its own writable folder
If you need to automatically: Match user -> Move it into a Jail -> Move it automatically into the writable sub-folder of its own Jail, let me know and I will try to summarize that scenario as configuration steps.
As you didn't write info about your system, I have made lots of assumptions.
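
The ownership and mode requirements listed in step 1 can be verified before restarting sshd. The following shell function is an added example, not part of the original answer; it assumes GNU stat (Linux), and the function name check_jail and its optional third argument are hypothetical.

```shell
# Added example, not from the original answer. Assumes GNU stat (Linux).
# Usage: check_jail JAIL_DIR USER [ROOT_UID]
#   e.g. check_jail /home/echoes echoes
# ROOT_UID (hypothetical parameter) defaults to 0; it exists only so the
# check can be tried on a scratch directory without root privileges.

perm_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 755
uid_of()   { stat -c '%u' "$1"; }   # numeric owner id
owner_of() { stat -c '%U' "$1"; }   # owner name

check_jail() {
    jail=${1%/}; user=$2; root_uid=${3:-0}; rc=0

    [ -d "$jail" ] || { echo "FAIL: $jail is not a directory"; return 2; }

    # Jail folder must be root-owned.
    [ "$(uid_of "$jail")" = "$root_uid" ] ||
        { echo "FAIL: $jail is not owned by uid $root_uid"; rc=1; }

    # Jail folder must not be group/others writable (octal mask 022).
    mode=$(perm_of "$jail")
    [ $(( 0$mode & 022 )) -eq 0 ] ||
        { echo "FAIL: $jail is group/others writable (mode $mode)"; rc=1; }

    # .ssh/ must be mode 700 and authorized_keys mode 600, owned by the user.
    for spec in ".ssh:700" ".ssh/authorized_keys:600"; do
        path=$jail/${spec%%:*}; want=${spec##*:}
        if [ ! -e "$path" ]; then
            echo "FAIL: $path is missing"; rc=1; continue
        fi
        [ "$(perm_of "$path")" = "$want" ] ||
            { echo "FAIL: $path has mode $(perm_of "$path"), want $want"; rc=1; }
        [ "$(owner_of "$path")" = "$user" ] ||
            { echo "FAIL: $path is not owned by $user"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: $jail meets the jail requirements"
    return "$rc"
}
```

A non-zero return means at least one requirement from step 1 is not met; each failed check is printed on its own line.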